I’m not going to give a history class on how they came to be what they are now: almost identities on the world wide web.
I recently stumbled upon an application that at first struck me as a website worthy of anyone’s trust. Why? It had “the padlock” next to its URL. The site claimed to offer anyone literate enough and able to afford a 500 fee an opportunity to “hussle”. Well, the purpose of this article is not to snitch but to share my thoughts on what many might see as paranoia.
Those who know, know that privacy is but a myth sold to us by parties hungry for our data. Fear mongering ain’t my intention either.
Before I start blabbering about this issue that I’m very passionate about, let me get to the subject of this article: email addresses.
I want to share a story of a site that almost effortlessly leaked the email addresses of more than a thousand users, with the potential to leak even more. On this day, I wasn’t looking to poke the application in any way. Just a forgetful user who needed to reset his password, I found myself on a page prompting me to change another user’s account. To make matters even worse, this page disclosed the email address of that user. Shocked by this weird behavior, it hit me. The email address I thought I had used to create the account wasn’t the one I submitted to reset its password. The only sense I could make of this was that the application didn’t check whether my email existed and instead just sent me a link to reset a random user’s account. The site, which claimed to handle payments to users using it to “hussle”, jobs, and user data such as names, phone numbers, and email addresses, was easily susceptible to sensitive information disclosure.
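To make the failure concrete, here is an added example (my own code, not the site’s) that models the reset flow the story describes as a hypothesis: a lookup that never fails and a reset page that echoes the account’s email, next to a hardened flow that answers identically whether or not the address is registered, mails the token only to the stored address, stores just a hash of it with an expiry, and shows no account data on the reset page. The user table and addresses are constructed sample data.

```python
import hashlib
import secrets
import time

# Constructed sample accounts; not data from the site in the post.
USERS = {"u1": {"email": "alice@example.com"}, "u2": {"email": "bob@example.com"}}


def _find_user(email):
    wanted = email.strip().lower()
    return next((uid for uid, rec in USERS.items() if rec["email"] == wanted), None)


# --- Reconstruction of the behaviour described above (a hypothesis, not the site's code):
# an address with no match still produces a reset link, and the reset page shows the email.
def vulnerable_request_reset(email, tokens, outbox):
    uid = _find_user(email) or next(iter(USERS))  # no match -> silently falls back to a user
    token = secrets.token_urlsafe(16)
    tokens[token] = uid
    outbox.append((email, token))                 # link goes to whoever typed the address
    return "Reset link sent."


def vulnerable_reset_page(token, tokens):
    uid = tokens[token]
    return {"email": USERS[uid]["email"], "form": "set new password"}  # discloses the email


# --- Hardened flow: uniform response, token sent only to the registered address,
# only a hash stored, short expiry, and the reset page reveals nothing about the account.
def hardened_request_reset(email, tokens, outbox, ttl=900):
    uid = _find_user(email)
    if uid is not None:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        tokens[digest] = {"uid": uid, "exp": time.time() + ttl}
        outbox.append((USERS[uid]["email"], token))  # mail the stored address, not the input
    return "If that address is registered, a reset link has been sent."


def hardened_reset_page(token, tokens):
    rec = tokens.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None or rec["exp"] < time.time():
        return {"error": "invalid or expired link"}
    return {"form": "set new password"}            # no email or other account data shown
```

The `outbox` list stands in for the mailer so the delivery target can be inspected; in the hardened flow an unregistered address produces the same message and no email at all.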
Discovering this, I tried to contact the owners of the site to no effect. Either they snubbed me or, even worse, they don’t care enough to read emails from their customers. This is very unfortunate and I feel very sorry for the users using the platform to hussle. Let’s say a malicious actor stumbles upon this and exploits it. This actor could change the details of exposed users, maybe request withdrawals to a number they control and completely take over these users’ accounts, and guess what, the users would be helpless as the owners don’t even do the least: check their emails.
Those who have been around the infosec community long enough know how malicious threat actors can be. Users whose emails are leaked could fall prey to phishing campaigns. I mean, the actor already has context to use to trick the users into doing whatever they want and compromise them even further.
Most sites use email addresses to identify users. Back to the fact that email addresses are like our online IDs. All this being said, how comfortable are you with this info being publicly disclosed like this?
How can we avoid this? How could we possibly mitigate against this? It’s hard to say. What I personally do is never use my email to register accounts on fishy websites, even if they have the classic padlock against their URLs. But how do we know that these sites are not trustworthy? In some cases it’s easy to identify by doing your due diligence, while in others it’s not. How can we find out? This article isn’t sponsored by any company, but what I personally use is Proton Mail, which gives you a burner email address that helps you protect your personal email address from such threats.
As I said, my purpose was not to spread paranoia. Value and protect your personal emails as much as you would protect your national identification cards. Stay safe!